Module 6 Configure Remote Access VPN

Academic year: 2021


(1)

Network Security 2

Module 6 – Configure Remote Access VPN

(2)

Learning Objectives

– 6.1 Introduction to Cisco Easy VPN

– 6.2 Configure the Easy VPN Server

– 6.3 Configure Easy VPN Remote for the Cisco VPN Client 4.x

– 6.4 Configure Cisco Easy VPN Remote for Access Routers

(3)

Module 6 – Configure Remote Access VPN

6.1 Introduction to Cisco Easy VPN

(4)

Cisco Easy VPN Components

• The Cisco Easy VPN is made up of two components –

– Easy VPN Server – Enables Cisco IOS routers, Cisco PIX Security Appliances, and Cisco VPN 3000 Series Concentrators to act as VPN head-end devices in site-to-site or remote-access VPNs, where the remote office devices are using the Cisco Easy VPN Remote feature.

– Easy VPN Remote – Enables Cisco IOS routers, Cisco PIX Security Appliances, and Cisco VPN 3000 Hardware Clients or Software Clients to act as remote VPN Clients.

(5)

Remote Access Using Cisco Easy VPN

[Figure: Easy VPN Remote devices (PC with Easy Remote VPN Client 4.x, Cisco 800, 900 and 1700 routers, Cisco VPN 3002 Hardware Client, Cisco PIX Security Appliance 501) connecting to a Cisco IOS router 12.3(11)T (or later) acting as Easy VPN Server]

(6)

Easy VPN Remote Connection Process

– Step 1 – The VPN Client initiates the IKE Phase 1 process.

– Step 2 – The VPN Client establishes an ISAKMP SA.

– Step 3 – The Easy VPN Server accepts the SA proposal.

– Step 4 – The Easy VPN Server initiates a username/password challenge.

– Step 5 – The mode configuration process is initiated.

– Step 6 – The RRI process is initiated.

– Step 7 – IPSec quick mode completes the connection.

(7)

Step 1 – The VPN Client Initiates the IKE Phase 1 Process

– Using pre-shared keys? Initiate aggressive mode (AM).

– Using digital certificates? Initiate main mode (MM).

[Figure: Remote PC with Easy Remote VPN Client 4.x initiates IKE Phase 1 with the Cisco IOS router 12.3(11)T Easy VPN Server]

(8)

Step 2 – The VPN Client Establishes an ISAKMP SA

– The VPN Client attempts to establish an SA between peer IP addresses by sending multiple ISAKMP proposals to the Easy VPN Server.

– To reduce manual configuration on the VPN Client, these ISAKMP proposals include several combinations of the following –

• Encryption and hash algorithms

• Authentication methods

• Diffie-Hellman group sizes

[Figure: Remote PC with Easy Remote VPN Client 4.x sends proposal 1, proposal 2, proposal 3 to the Cisco IOS router 12.3(11)T Easy VPN Server]

(9)

Step 3 – The Easy VPN Server Accepts the SA Proposal

– The Easy VPN Server searches for a match –

• The first proposal to match the server’s list is accepted (highest-priority match).

• The most secure proposals are always listed at the top of the Easy VPN Server’s proposal list (highest priority).

– ISAKMP SA is successfully established.

– Device authentication ends and user authentication begins.

[Figure: Proposal checking on the Cisco IOS router 12.3(11)T Easy VPN Server finds a match on proposal 1 from the Remote PC with Easy Remote VPN Client 4.x]

(10)

Step 4 – Username/Password Challenge

– If the Easy VPN Server is configured for XAUTH, the VPN Client waits for a username/password challenge –

• The user enters a username/password combination.

• The username/password information is checked against authentication entities using AAA.

– All Easy VPN Servers should be configured to enforce user authentication.

[Figure: The Easy VPN Server sends a username/password challenge to the Remote PC; the returned username/password is checked by AAA]

(11)

Step 5 – The Mode Configuration Process Is Initiated

– If the Easy VPN Server indicates successful authentication, the VPN Client requests the remaining configuration parameters from the Easy VPN Server –

• Mode configuration starts.

• The remaining system parameters, such as IP address, DNS, split tunneling information, are downloaded to the VPN Client.

– Remember that the IP address is the only required parameter in a group profile. All other parameters are optional.

[Figure: The VPN Client requests parameters; the Easy VPN Server pushes the system parameters via mode config]

(12)

Step 6 – The RRI Process Is Initiated

– After the Easy VPN Server knows the VPN Client’s assigned IP address, it must determine how to route packets through the appropriate VPN tunnel –

• RRI creates a static route on the Easy VPN Server for each VPN Client’s internal IP address.

• RRI must be enabled on the crypto maps supporting VPN Clients.

[Figure: RRI static route creation on the Cisco IOS router 12.3(11)T Easy VPN Server for the VPN tunnel to the Remote PC]

(13)

Step 7 – IPSec Quick Mode Completes the Connection

– After the configuration parameters have been successfully received by the VPN Client, ISAKMP quick mode is initiated to negotiate IPSec SA establishment.

– After IPSec SA establishment, the VPN connection is complete.

[Figure: Quick mode and IPSec SA establishment between the Remote PC with Easy Remote VPN Client 4.x and the Easy VPN Server complete the VPN tunnel]
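Steps 2 and 3 above, modelled as an added example (not course or Cisco code): the server walks its own policy list in priority order and accepts the first client proposal that matches, so a weak proposal the client happens to list first does not win while a higher-priority server policy matches. VPNGATE1_POLICIES holds the slide's policy 1 plus a constructed weaker policy 50; CLIENT_PROPOSALS is a constructed stand-in for the several proposals the VPN Client sends.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IsakmpPolicy:
    """The IKE Phase 1 attributes an Easy VPN Server compares (Step 3)."""
    auth: str               # "pre-share" (aggressive mode) or "rsa-sig" (main mode)
    encryption: str         # "des", "3des" or "aes"
    hash_alg: str           # "sha" or "md5"
    group: int              # Diffie-Hellman group
    lifetime: int = 86400   # seconds; the IOS default

def matches(server: IsakmpPolicy, client: IsakmpPolicy) -> bool:
    """A proposal matches a policy when encryption, hash, authentication and
    DH group are identical and the peer's lifetime is not longer than ours."""
    return (server.auth == client.auth and server.encryption == client.encryption
            and server.hash_alg == client.hash_alg and server.group == client.group
            and client.lifetime <= server.lifetime)

def select_proposal(server_policies, client_proposals):
    """Step 3: walk the server's policies from highest priority (lowest policy
    number) and accept the first client proposal that matches one.
    Returns (policy_number, proposal), or None when nothing is acceptable."""
    for number, policy in sorted(server_policies.items()):
        for proposal in client_proposals:
            if matches(policy, proposal):
                return number, proposal
    return None

# Policy 1 is the slide's vpngate1 policy: pre-share, 3DES, group 2, SHA by default.
# Policy 50 is a constructed, weaker policy added only to show that priority order wins.
VPNGATE1_POLICIES = {
    1: IsakmpPolicy("pre-share", "3des", "sha", 2),
    50: IsakmpPolicy("pre-share", "des", "md5", 1),
}

# Constructed stand-in for the several proposals the VPN Client offers (Step 2).
CLIENT_PROPOSALS = [
    IsakmpPolicy("pre-share", "des", "md5", 1),
    IsakmpPolicy("pre-share", "3des", "sha", 2),
    IsakmpPolicy("pre-share", "aes", "sha", 2),
    IsakmpPolicy("rsa-sig", "3des", "sha", 2),
]

if __name__ == "__main__":
    # The DES proposal is listed first by the client but loses to server policy 1.
    print(select_proposal(VPNGATE1_POLICIES, CLIENT_PROPOSALS))
```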

(14)

Module 6 – Configure Remote Access VPN

6.2 Configure the Easy VPN Server

(15)

Easy VPN Server General Configuration Tasks

• The following general tasks are used to configure Easy VPN Server on a Cisco router –

– Task 1 – Create IP address pool.

– Task 2 – Configure group policy lookup.

– Task 3 – Create ISAKMP policy for remote VPN Client access.

– Task 4 – Define group policy for mode configuration push.

– Task 5 – Create a transform set.

– Task 6 – Create a dynamic crypto map with RRI.

– Task 7 – Apply mode configuration to the dynamic crypto map.

– Task 8 – Apply the crypto map to the router interface.

– Task 9 – Enable IKE DPD.

– Task 10 – Configure XAUTH.

– Task 11 – (Optional) Enable XAUTH save password feature.

(16)

Task 1 – Create IP Address Pool

router(config)#

ip local pool {default | pool-name low-ip-address [high-ip-address]}

vpngate1(config)# ip local pool REMOTE-POOL 10.0.1.100 10.0.1.150

– Creating a local address pool is optional if an external DHCP server is in use on the network.

[Figure: vpngate1 assigns the remote client an address from REMOTE-POOL, 10.0.1.100 to 10.0.1.150]

(17)

Task 2 – Configure Group Policy Lookup

router(config)#

aaa new-model

router(config)#

aaa authorization network list-name local [method1 [method2…]]

vpngate1(config)# aaa new-model

vpngate1(config)# aaa authorization network VPN-REMOTE-ACCESS local

Creates a user group for local AAA policy lookup.

[Figure: vpngate1 looks up the VPN-REMOTE-ACCESS group for the remote client]

(18)

Task 3 – Create ISAKMP Policy for Remote VPN Client Access

vpngate1(config)# crypto isakmp enable

vpngate1(config)# crypto isakmp policy 1

vpngate1(config-isakmp)# authen pre-share

vpngate1(config-isakmp)# encryption 3des

vpngate1(config-isakmp)# group 2

vpngate1(config-isakmp)# exit

Policy 1 – Authentication – Preshared keys; Encryption – 3-DES; Diffie-Hellman – Group 2; Other settings – Default

Use standard ISAKMP configuration commands.

(19)

Task 4 – Define Group Policy for Mode Configuration Push

• Task 4 contains the following steps –

– Step 1 – Add the group profile to be defined.

– Step 2 – Configure the ISAKMP pre-shared key.

– Step 3 – Specify the DNS servers.

– Step 4 – Specify the WINS servers.

– Step 5 – Specify the DNS domain.

– Step 6 – Specify the local IP address pool.

(20)

Task 4-Step 1 – Add the Group Profile to Be Defined

router(config)#

crypto isakmp client configuration group {group-name | default}

vpngate1(config)# crypto isakmp client configuration group VPN-REMOTE-ACCESS

vpngate1(config-isakmp-group)#

[Figure: group profile VPN-REMOTE-ACCESS pushed from vpngate1 to the remote client – Key MYVPNKEY; DNS DNS1 & DNS2; WINS WINS1 & WINS2; Domain cisco.com; Pool name REMOTE-POOL (10.0.1.100 to 10.0.1.150)]

(21)

Task 4-Step 2 – Configure the IKE Pre-Shared Key

router(config-isakmp-group)#

key name

vpngate1(config-isakmp-group)# key MYVPNKEY


(22)

Task 4-Step 3 – Specify the DNS Servers

router(config-isakmp-group)#

dns primary-server secondary-server

vpngate1(config-isakmp-group)# dns 172.26.26.120 172.26.26.130

(DNS1 and DNS2 in the figure.)

(23)

Task 4-Step 4 – Specify the WINS Servers

router(config-isakmp-group)#

wins primary-server secondary-server

vpngate1(config-isakmp-group)# wins 172.26.26.160 172.26.26.170

(WINS1 and WINS2 in the figure.)

(24)

Task 4-Step 5 – Specify the DNS Domain

router(config-isakmp-group)#

domain name

vpngate1(config-isakmp-group)# domain cisco.com


(25)

Task 4-Step 6 – Specify the Local IP Address Pool

router(config-isakmp-group)#

pool name

vpngate1(config-isakmp-group)# pool REMOTE-POOL


(26)

Task 5 – Create Transform Set

router(config)#

crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]

vpngate1(config)# crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac

vpngate1(cfg-crypto-trans)# exit


(27)

Task 6 – Create a Dynamic Crypto Map with RRI

• Task 6 contains the following steps –

– Step 1 – Create a dynamic crypto map.

– Step 2 – Assign a transform set.

– Step 3 – Enable RRI.

(28)

Task 6-Step 1 – Create a Dynamic Crypto Map

router(config)#

crypto dynamic-map dynamic-map-name dynamic-seq-num

vpngate1(config)# crypto dynamic-map DYNMAP 1

vpngate1(config-crypto-map)#

DYNMAP 1 – dynamic crypto map name and sequence number

(29)

Task 6-Step 2 – Assign Transform Set to Dynamic Crypto Map

router(config-crypto-map)#

set transform-set transform-set-name [transform-set-name2…transform-set-name6]

vpngate1(config-crypto-map)# set transform-set VPNTRANSFORM

(30)

Task 6-Step 3 – Enable RRI

router(config-crypto-map)#

reverse-route

vpngate1(config-crypto-map)# reverse-route

vpngate1(config-crypto-map)# exit

[Figure: RRI on vpngate1 announces a route for the remote client address 10.0.1.100 to the inside network, so the file server reaches the client through the tunnel]

(31)

Task 7 – Apply Mode Configuration to Crypto Map

• Task 7 contains the following steps –

– Step 1 – Configure the router to respond to mode configuration requests.

– Step 2 – Enable IKE querying for a group policy.

– Step 3 – Apply the dynamic crypto map to the crypto map.

(32)

Task 7-Step 1 – Configure Router to Respond to Mode Configuration Requests

router(config)#

crypto map map-name client configuration address {initiate | respond}

vpngate1(config)# crypto map CLIENTMAP client configuration address respond


(33)

Task 7-Step 2 – Enable ISAKMP Querying for Group Policy

router(config)#

crypto map map-name isakmp authorization list list-name

vpngate1(config)# crypto map CLIENTMAP isakmp authorization list VPN-REMOTE-ACCESS


(34)

Task 7-Step 3 – Apply Dynamic Crypto Map to the Crypto Map

router(config)#

crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name

vpngate1(config)# crypto map CLIENTMAP 65535 ipsec-isakmp dynamic DYNMAP


(35)

Task 8 – Apply the Crypto Map to Router Outside Interface

vpngate1(config)# interface ethernet0/1

vpngate1(config-if)# crypto map CLIENTMAP

vpngate1(config-if)# exit

CLIENTMAP is applied to the outside interface e0/1 facing the remote client.

(36)

Task 9 – Enable ISAKMP DPD

router(config)#

crypto isakmp keepalive secs retries

vpngate1(config)# crypto isakmp keepalive 20 10

1) DPD send – Are you there?

2) DPD reply – Yes, I am here.

(37)

Task 10 – Configure XAUTH

• Task 10 contains the following steps –

– Step 1 – Enable AAA login authentication.

– Step 2 – Set the XAUTH timeout value.

– Step 3 – Enable ISAKMP XAUTH for the dynamic crypto map.

(38)

Task 10, Step 1 – Enable AAA Login Authentication

router(config)#

aaa authentication login list-name method1 [method2…]

vpngate1(config)# aaa authentication login VPNUSERS local


(39)

Task 10, Step 2 – Set XAUTH Timeout Value

router(config)#

crypto isakmp xauth timeout seconds

vpngate1(config)# crypto isakmp xauth timeout 20


(40)

Task 10, Step 3 – Enable ISAKMP XAUTH for Crypto Map

router(config)#

crypto map map-name client authentication list list-name

vpngate1(config)# crypto map CLIENTMAP client authentication list VPNUSERS


(41)

Task 11 – (Optional) Enable XAUTH Save Password

router(config-isakmp-group)#

save-password

vpngate1(config)# crypto isakmp client configuration group VPN-REMOTE-ACCESS

vpngate1(config-isakmp-group)# save-password

This step could have been completed in Step 1 of Task 4, following the crypto isakmp client configuration group command.

(42)

Task 12 – Verify

router#

show crypto map [interface interface | tag map-name]

Router# show crypto map interface ethernet 0

• Displays crypto map configuration.

router#

show run

Router# show run

• Displays running configuration.
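One way to check that Tasks 1 to 10 are present and reference each other, as an added example rather than course or Cisco code: it parses a saved show run text and reports any task that is missing or whose list names do not line up, so an Easy VPN Server that never enforces XAUTH or never enables RRI is caught before it is trusted. VPNGATE1_RUN is a constructed configuration assembled from the vpngate1 commands above.

```python
import re
# Constructed running-config built from the vpngate1 commands on the slides.
VPNGATE1_RUN = """\
aaa authentication login VPNUSERS local
aaa authorization network VPN-REMOTE-ACCESS local
crypto isakmp client configuration group VPN-REMOTE-ACCESS
 key MYVPNKEY
 pool REMOTE-POOL
crypto isakmp keepalive 20 10
crypto dynamic-map DYNMAP 1
 set transform-set VPNTRANSFORM
 reverse-route
crypto map CLIENTMAP client authentication list VPNUSERS
crypto map CLIENTMAP isakmp authorization list VPN-REMOTE-ACCESS
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 65535 ipsec-isakmp dynamic DYNMAP
interface Ethernet0/1
 crypto map CLIENTMAP
ip local pool REMOTE-POOL 10.0.1.100 10.0.1.150
"""

def blocks(config):
    """Pair each top-level IOS command with its indented sub-commands."""
    out = []
    for line in config.splitlines():
        if line.startswith(" ") and out:
            out[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            out.append((line.strip(), []))
    return out

def find(pattern, cmds):
    """First re.match of pattern over a list of command strings, else None."""
    return next((m for c in cmds if (m := re.match(pattern, c))), None)

def audit(config):
    """Return a list of findings; an empty list means the tasks are wired together."""
    parsed = blocks(config)
    top = [t for t, _ in parsed]
    sub = lambda prefix: next((s for t, s in parsed if t.startswith(prefix)), [])
    f = []
    need = lambda ok, msg: ok or f.append(msg)   # record a finding when a check fails
    authz = find(r"aaa authorization network (\S+) local", top)
    need(authz, "Task 2: no local group policy lookup list")
    grp = sub("crypto isakmp client configuration group ")
    pool = find(r"pool (\S+)", grp)
    need(find(r"key \S+", grp) and pool, "Task 4: group profile lacks key or pool")
    dyn, dsub = find(r"crypto dynamic-map (\S+) \d+", top), sub("crypto dynamic-map ")
    need(dyn and find(r"set transform-set \S+", dsub), "Task 5/6: dynamic map has no transform set")
    need("reverse-route" in dsub, "Task 6: RRI (reverse-route) not enabled on dynamic map")
    cm = find(r"crypto map (\S+) client configuration address respond", top)
    need(cm, "Task 7: no crypto map answers mode-configuration requests")
    name = re.escape(cm[1]) if cm else r"\S+"    # fall back to any map name
    need(authz and find(rf"crypto map {name} isakmp authorization list {authz[1]}$", top),
         "Task 7: isakmp authorization list does not match the AAA list")
    need(dyn and find(rf"crypto map {name} \d+ ipsec-isakmp dynamic {dyn[1]}$", top),
         "Task 7: dynamic map is not attached to the crypto map")
    need(any(find(rf"crypto map {name}$", s) for t, s in parsed if t.startswith("interface ")),
         "Task 8: crypto map not applied to any interface")
    need(find(r"crypto isakmp keepalive \d+ \d+", top), "Task 9: IKE DPD keepalive not set")
    xa = find(rf"crypto map {name} client authentication list (\S+)", top)
    need(xa and find(rf"aaa authentication login {xa[1]} ", top),
         "Task 10: XAUTH not enforced (no client authentication list backed by AAA login)")
    return f
```

Run audit() over the output of show run from a real server; every finding names the task whose command is missing or mismatched.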

(43)

Module 6 – Configure Remote Access VPN

6.3 Configure Easy VPN Remote for the Cisco VPN Client 4.x

(44)

Configuring Easy VPN Remote for the Cisco VPN Client 4.x – General Tasks

•Task 1 – Install Cisco VPN Client 4.x.

•Task 2 – Create a new client connection entry.

•Task 3 – Choose an authentication method.

•Task 4 – Configure transparent tunneling.

•Task 5 – Enable and add backup servers.

•Task 6 – Configure connection to the Internet through dial-up networking.

(45)

Task 1 – Install Cisco VPN Client 4.x

(46)

Error Message

(47)

Task 2 – Create a New Client Connection Entry

(48)

Task 3 – Configure Client Authentication

Properties

(49)

Task 4 – Configure Transparent Tunneling

(50)

Task 5 – Enable and Add Backup Servers

(51)

Task 6 – Configure Connection to the Internet

through Dial-up Networking

(52)

Module 6 – Configure Remote Access VPN

6.4 Configure Cisco Easy VPN Remote for Access Routers

(53)

Easy VPN Remote Client Mode

[Figure: client mode – a Cisco 831 router (Easy VPN Remote) builds a VPN tunnel to a Cisco router Easy VPN Server 12.3(11)T; addresses shown: 10.0.0.2, 10.0.0.3, 10.0.0.4 and 192.168.100.X]

(54)

Easy VPN Remote Network Extension Mode

[Figure: network extension mode – a Cisco 831 (Easy VPN Remote) builds a VPN tunnel to a Cisco router Easy VPN Server 12.3(11)T; addresses shown: 172.16.10.5, 172.16.10.6, .4 and 172.16.X.X]

(55)

Easy VPN Remote Configuration General Tasks for Access Routers

• Task 1 – (Optional) Configure the DHCP server pool.

• Task 2 – Configure and assign the Cisco Easy VPN client profile.

• Task 3 – (Optional) Configure XAUTH password save.

• Task 4 – Initiate the VPN tunnel.

• Task 5 – Verify the Cisco Easy VPN configuration.

(56)

Task 1 – Configure the DHCP Server Pool

router(config)#

ip dhcp pool pool-name

router(dhcp-config)#

network ip-address [ mask | /prefix-length]

default-router address [address2 ... addressN]

import all

lease {days [ hours][ minutes] | infinite}

exit

router(config)#

ip dhcp excluded-address lan-ip-address

(57)

Task 1 Example – DHCP Server Pool

vpnRemote1(config)# ip dhcp pool CLIENT

vpnRemote1(dhcp-config)# network 10.10.10.0 255.255.255.0

vpnRemote1(dhcp-config)# default-router 10.10.10.1

vpnRemote1(dhcp-config)# import all

vpnRemote1(dhcp-config)# lease 3

vpnRemote1(dhcp-config)# exit

vpnRemote1(config)# ip dhcp excluded-address 10.10.10.1

[Figure: VPNREMOTE1 with LAN 10.10.10.0 connects across 20.20.20.0 to VPNGATE1, whose inside network is 30.30.30.0]

(58)

Task 2 – Configure the Cisco Easy VPN Client Profile

router(config)#

crypto ipsec client ezvpn name

router(config-crypto-ezvpn)#

group group-name key group-key

peer [ip-address | hostname]

mode {client | network-extension | network-plus}

exit

(59)

Task 2 Example – Configure the Cisco Easy VPN Client Profile

vpnRemote1(config)# crypto ipsec client ezvpn VPNGATE1

vpnRemote1(config-crypto-ezvpn)# group VPNREMOTE1 key MYVPNKEY

vpnRemote1(config-crypto-ezvpn)# peer 20.20.20.2

vpnRemote1(config-crypto-ezvpn)# mode client

vpnRemote1(config-crypto-ezvpn)# exit

vpnRemote1(config)#

[Figure: VPNREMOTE1 (10.10.10.0) across 20.20.20.0 to VPNGATE1 (30.30.30.0); profile VPNGATE1 – Group: VPN-REMOTE-ACCESS, Peer: 20.20.20.2, Key: MYVPNKEY, Mode: Client]

The group name and key entered here must match a crypto isakmp client configuration group defined on the Easy VPN Server, or IKE Phase 1 fails before XAUTH is reached.

(60)

Task 2 Example – Assign Easy VPN Remote to the Interface

router(config-if)#

crypto ipsec client ezvpn name [inside | outside]

vpnRemote1(config)# interface ethernet1

vpnRemote1(config-if)# crypto ipsec client ezvpn VPNGATE1

vpnRemote1(config-if)# exit

[Figure: the VPNGATE1 profile is applied to the outside interface of VPNREMOTE1 (10.10.10.0) facing VPNGATE1 (30.30.30.0) across 20.20.20.0]

(61)

Task 3 – (Optional) Configure XAUTH Save Password Feature

router(config)#

crypto ipsec client ezvpn name

router(config-crypto-ezvpn)#

username aaa-username password aaa-password

vpnRemote1(config)# crypto ipsec client ezvpn VPNGATE1

vpnRemote1(config-crypto-ezvpn)# username VPNUSER password VPNPASS

vpnRemote1(config-crypto-ezvpn)# exit

(62)

Task 4 – (Optional) Initiate the VPN Tunnel (XAUTH)

– Cisco IOS message: Waiting for valid XAUTH username and password.

01:34:42: EZVPN: Pending XAuth Request, Please enter the following command:

01:34:42: EZVPN: crypto ipsec client ezvpn xauth

router#

crypto ipsec client ezvpn xauth

vpnRemote1# crypto ipsec client ezvpn xauth

Enter Username and Password: vpnusers

Password: ********

• With XAUTH: When the SA expires, the username and password must be manually entered.

• With XAUTH Password Save enabled: When the SA expires, the last valid username and password are reused automatically.

(63)

Task 5 – Verify the Cisco Easy VPN Configuration

vpnRemote1# show crypto ipsec client ezvpn

Easy VPN Remote Phase: 2

Tunnel name : VPNGATE1

Inside interface list: Ethernet0, Outside interface: Ethernet1

Current State: IPSEC_ACTIVE

Last Event: SOCKET_UP

Address: 30.30.30.24

Mask: 255.255.255.255

DNS Primary: 30.30.30.10

DNS Secondary: 30.30.30.11

NBMS/WINS Primary: 30.30.30.12

NBMS/WINS Secondary: 30.30.30.13

Default Domain: cisco.com

(64)

Easy VPN Remote Configuration Example

version 12.2
hostname VPNREMOTE1
!
username admin privilege 15 password 7 070E25414707485744
ip subnet-zero
ip domain-name cisco.com
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 lease 3
!
crypto ipsec client ezvpn VPNGATE1
 connect auto
 group VPNREMOTE1 key 0 MYVPNKEY
 mode client
 peer 20.20.20.2
 username VPNUSER password 0 VPNPASS

(65)

Easy VPN Remote Configuration Example (Cont.)

interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 crypto ipsec client ezvpn VPNGATE1 inside
!
interface Ethernet1
 ip address 20.20.20.1 255.255.255.0
 crypto ipsec client ezvpn VPNGATE1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
ip route 30.30.30.0 255.255.255.0 Ethernet1
ip http server
no ip http secure-server
!
line con 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
!
end

Note that in this example the group key and the saved XAUTH credentials are stored as type 0 (clear text), the admin password uses the reversible type 7 encoding, and the clear-text HTTP server is enabled; all of these are readable from show run, so the running configuration itself must be protected.

(66)
